Skip to content

Responsible Disclosure Policy

This policy is intended to give guidance for submitting potential security issues (vulnerabilities) discovered on Moonpig Group's website, mobile apps or other resources.

Following the responsible disclosure process allows us to take appropriate steps to address any vulnerabilities, thereby protecting our customers and systems.

The scope of this policy includes:

  • *

  • *

  • *

  • *

  • *


Moonpig Group currently runs a private bug bounty program on We value those who take the time and effort to report security vulnerabilities according to this policy and may be able to offer monetary rewards for bug reports depending on the scope and severity of the submission.

If you have identified a vulnerability that you wish to disclose, we ask that you:

  • Email [email protected] with a high-level summary, including the type of vulnerability and affected domain. Please also include your Intigriti username so we can invite you to the private program.

  • Don’t access unnecessary, excessive or significant amounts of data. 

  • Only use your own accounts to demonstrate impact. Don't target any of our customers’ accounts.

  • Please do not discuss or post vulnerabilities without our consent (including blog posts, PoC's on YouTube and Vimeo).

  • Don’t run any automated tools against our website or APIs (examples include, but are not limited to, Nikto, Burp scanner, Nessus, etc).

  • Don’t target our physical security, perform any social engineering, denial of service, spam or target applications of third parties, or otherwise break any laws.


What you can expect from us:

  • We’ll respond to you within 5 working days acknowledging your report.

  • We’ll keep you up-to-date as we investigate and address your report.